The sub-techniques beta is now live! Read the release blog post for more info.


HyperBro is a custom in-memory backdoor used by Threat Group-3390.[1][2][3]

ID: S0398
Platforms: Windows
Version: 1.0
Created: 09 July 2019
Last Modified: 26 September 2019

Techniques Used

Domain ID Name Use
Enterprise T1073 DLL Side-Loading

HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload.[1]

Enterprise T1106 Execution through API

HyperBro has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API.[1]

Enterprise T1107 File Deletion

HyperBro has the ability to delete a specified file.[1]

Enterprise T1055 Process Injection

HyperBro can run shellcode it injects into a newly created process.[1]

Enterprise T1105 Remote File Copy

HyperBro has the ability to download additional files.[1]

Enterprise T1113 Screen Capture

HyperBro has the ability to take screenshots.[1]

Enterprise T1035 Service Execution

HyperBro has the ability to start and stop a specified service.[1]

Enterprise T1071 Standard Application Layer Protocol

HyperBro has used HTTPS for C2 communications.[1]

Enterprise T1007 System Service Discovery

HyperBro can list all services and their configurations.[1]

Groups That Use This Software

ID Name References
G0027 Threat Group-3390 [1] [2] [3]